{
	"id": "54c1e140-e569-4c17-babd-de629a37ff4e",
	"created_at": "2026-04-06T00:21:56.54141Z",
	"updated_at": "2026-04-10T03:36:48.131176Z",
	"deleted_at": null,
	"sha1_hash": "ac01531bddc32b58c133b3ed7429b025001ffad9",
	"title": "Chinese APT LongNosedGoblin Targets Government Networks in Southeast Asia and Japan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49450,
	"plain_text": "Chinese APT LongNosedGoblin Targets Government Networks in Southeast Asia and Japan\r\nPublished: 2025-12-19 · Archived: 2026-04-05 15:55:51 UTC\r\nThe Chinese APT tracked as LongNosedGoblin represents a highly structured cyberespionage operation focused on government networks in Southeast Asia and Japan. The activity was uncovered during forensic analysis of a compromised government environment, where investigators identified a collection of previously undocumented malware families operating under centralized control. The tooling, delivery mechanisms, and operational pacing observed throughout the campaign indicate a deliberate intelligence collection mission rather than a short-term intrusion or financially motivated attack.\r\nWhat sets this Chinese APT apart is not a single novel exploit, but the way it combines trusted enterprise mechanisms, selective deployment logic, and a modular malware ecosystem to quietly persist inside sensitive networks. LongNosedGoblin does not rely on loud exploitation frameworks or mass deployment. Instead, it uses reconnaissance-driven decision making to determine which systems warrant deeper compromise, significantly reducing exposure and detection risk.\r\nInitial Discovery and Scope of the Campaign\r\nThe campaign was first identified in early 2024 after analysts discovered an unfamiliar backdoor on a workstation belonging to a Southeast Asian governmental entity. Further investigation revealed that this was not an isolated infection. Multiple systems within the same domain had received different malicious payloads, all distributed through Active Directory Group Policy. This immediately suggested that the attackers had already obtained elevated privileges within the domain and were operating with administrator-level access.\r\nTimeline analysis later showed that some components of the operation had been active since at least September 2023. Telemetry collected throughout 2024 and into 2025 indicates multiple waves of activity, including renewed deployments and updated tooling. While most confirmed victims were located in Southeast Asia, at least one later campaign targeted an organization in Japan, demonstrating a geographically consistent but expanding operational focus.\r\nAbuse of Group Policy as a Primary Deployment Mechanism\r\nA defining characteristic of this Chinese APT campaign is its reliance on Group Policy Objects as a malware distribution channel. Group Policy is a core administrative feature in Windows enterprise environments and is implicitly trusted by most organizations. Once domain administrator privileges are obtained, Group Policy provides a powerful and stealthy method to push executables, configuration files, and scripts across a network.\r\nLongNosedGoblin used this mechanism to deploy multiple malware families under filenames designed to blend into the Group Policy cache. Executables were frequently disguised as configuration files, registry policy artifacts, or system utilities. Because Group Policy updates occur routinely, malicious payloads delivered in this manner are less likely to trigger alarms or attract administrator scrutiny.\r\nThis technique also provides built-in persistence. As systems refresh policy settings, malicious components can be redeployed automatically, allowing attackers to maintain access even if individual files are removed.\r\nReconnaissance-Driven Target Selection\r\nOne of the earliest tools deployed across compromised environments was a reconnaissance utility designed to collect browser history from all local user profiles. This component, referred to by researchers as NosyHistorian, was not a backdoor and did not provide interactive control. Instead, its sole purpose was to gather contextual information about how each system was used.\r\nBy harvesting browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox, the attackers were able to identify systems associated with sensitive workflows, internal portals, government services, or policy-related research. Collected data was staged internally on network shares rather than immediately exfiltrated to the internet, reducing the likelihood of detection during the reconnaissance phase.\r\nOnly a small subset of systems identified through this process were selected for further compromise. This selective escalation strongly suggests that the Chinese APT prioritized intelligence value over coverage, a tradecraft decision typical of long-term espionage operations.\r\nNosyDoor Backdoor Architecture and Execution Flow\r\nSystems selected for deeper access received a custom backdoor known as NosyDoor. This backdoor operates through a multi-stage execution chain designed to evade security controls and blend into normal system activity.\r\nThe initial stage is a dropper deployed via Group Policy under filenames that mimic legitimate policy artifacts. This dropper decrypts embedded components and installs them into directories that normally contain Microsoft .NET framework files. Filenames are deliberately chosen to closely resemble legitimate system binaries, increasing the chance they will be overlooked during routine inspection.\r\nThe second stage abuses a legitimate Microsoft .NET executable through AppDomainManager injection. By supplying a crafted configuration file, the attackers force the legitimate binary to load a malicious library during initialization. This approach allows malicious code execution without introducing a suspicious process into memory.\r\nDuring this stage, event tracing and antimalware scanning interfaces are deliberately disabled or bypassed. This prevents script inspection and reduces the visibility of subsequent payload execution.\r\nThe final stage is the NosyDoor backdoor itself, a C# application that establishes persistent command and control communication using cloud storage services.\r\nCloud-Based Command and Control Infrastructure\r\nRather than operating dedicated command servers, this Chinese APT relies heavily on legitimate cloud platforms for command and control. Observed campaigns used services such as Microsoft OneDrive, Google Drive, and Google Docs to exchange commands, upload stolen data, and maintain task queues.\r\nFrom a network monitoring perspective, this traffic appears indistinguishable from legitimate user activity. Authentication occurs through valid OAuth tokens, and data transfers use HTTPS connections to well-known cloud providers. This significantly complicates detection, particularly in government environments where cloud services are widely used.\r\nNosyDoor encrypts collected system metadata using asymmetric cryptography before uploading it to cloud storage. Commands are delivered in encrypted task files, which are periodically polled and processed by the backdoor. Results are encrypted again before being uploaded as response files, maintaining confidentiality even if cloud storage is inspected.\r\nCapabilities of the NosyDoor Backdoor\r\nOnce active, NosyDoor provides full remote control over compromised systems. Supported functionality includes file upload and download, directory enumeration, command execution, assembly loading, and configuration updates. The backdoor also collects detailed system metadata such as operating system version, process architecture, network configuration, and local timestamps.\r\nOperational hours can be configured, allowing the backdoor to remain dormant outside defined time windows. This reduces the chance of detection during off-hours monitoring while still allowing queued commands to be processed when the backdoor resumes activity.\r\nError handling is implemented locally, with logs written to disk in locations that blend into existing directory structures. These logs can provide operators with feedback on failed operations without generating network noise.\r\nCredential Theft and Data Collection Tooling\r\nIn addition to the primary backdoor, LongNosedGoblin deployed several specialized data collection tools. These include browser data stealers, keyloggers, and utilities designed to capture clipboard content, screen activity, and audio recordings.\r\nThe browser stealer component targets Chromium-based browsers and extracts stored credentials, cookies, and profile data. Stolen data is archived, encrypted, and exfiltrated using cloud storage APIs. In some cases, data exfiltration is gated by configuration files retrieved from cloud documents, allowing operators to dynamically enable or disable collection on a per-victim basis.\r\nThe keylogger component operates in memory and stores encrypted keystroke logs locally. Data is periodically flushed to disk in encrypted form, reducing the risk of detection by real-time monitoring tools.\r\nAdditional tooling observed in the environment includes an argument runner used to execute multimedia recording software. This allowed attackers to capture audio and video output from selected systems, indicating an interest in monitoring internal meetings or restricted workflows.\r\nUse of Downloaders and Secondary Payloads\r\nLongNosedGoblin also deployed a PowerShell-based downloader that executed multi-stage payloads entirely in memory. Each stage is encoded, compressed, and decrypted at runtime, minimizing on-disk artifacts. Antimalware scanning interfaces are explicitly bypassed during execution.\r\nThis downloader was used to deploy additional components, including a reverse SOCKS5 proxy that provided interactive network access from within the compromised environment. By tunneling traffic through internal systems, the attackers could reach services not directly exposed to the internet.\r\nAttribution and Malware Sharing Indicators\r\nWhile the campaign is attributed to a Chinese APT based on targeting, tradecraft, and infrastructure patterns, some components of the toolset appear to be shared across multiple China-aligned operations. Variants of the NosyDoor backdoor have been observed in unrelated incidents using different cloud providers and targeting different regions.\r\nDebugging paths and internal markers suggest that some malware may be developed or distributed commercially within a broader ecosystem. This indicates that certain tools are likely reused, licensed, or sold between operators rather than being exclusive to a single group.\r\nDespite this overlap, the consistent abuse of Group Policy for lateral movement remains a distinguishing characteristic of LongNosedGoblin activity.\r\nImplications for Government Network Defenders\r\nThe LongNosedGoblin campaign demonstrates how trusted administrative features can be turned into stealthy attack vectors once domain-level access is achieved. Traditional defenses focused on exploit detection or perimeter monitoring are insufficient against this type of operation.\r\nDefenders should closely audit Group Policy changes, monitor scheduled task creation, and treat cloud service authentication events as potential command and control activity. Domain administrator access must be rigorously protected, as compromise at this level effectively grants attackers full control over deployment mechanisms.\r\nThe campaign also highlights the growing role of cloud platforms in modern espionage operations. Visibility into cloud API usage and abnormal access patterns is now as critical as monitoring traditional network traffic.\r\nClosing Analysis\r\nThe Chinese APT known as LongNosedGoblin illustrates a mature and disciplined approach to cyberespionage. By combining reconnaissance-driven targeting, abuse of trusted enterprise mechanisms, and cloud-based command infrastructure, the group achieves long-term access with minimal visibility.\r\nThis operation reinforces a broader trend in state-aligned threat activity, where success is measured not by rapid exploitation, but by persistence, discretion, and sustained intelligence collection. Organizations responsible for sensitive government data must assume that administrative tooling and cloud services are potential attack surfaces and adapt their defensive strategies accordingly.\r\nSource: https://botcrawl.com/chinese-apt-longnosedgoblin-targets-government-networks-in-southeast-asia-and-japan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://botcrawl.com/chinese-apt-longnosedgoblin-targets-government-networks-in-southeast-asia-and-japan/"
	],
	"report_names": [
		"chinese-apt-longnosedgoblin-targets-government-networks-in-southeast-asia-and-japan"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3ede153b-35d6-447d-83f7-299dd1bedc64",
			"created_at": "2026-01-18T02:00:03.065065Z",
			"updated_at": "2026-04-10T02:00:03.902886Z",
			"deleted_at": null,
			"main_name": "LongNosedGoblin",
			"aliases": [],
			"source_name": "MISPGALAXY:LongNosedGoblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434916,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac01531bddc32b58c133b3ed7429b025001ffad9.pdf",
		"text": "https://archive.orkl.eu/ac01531bddc32b58c133b3ed7429b025001ffad9.txt",
		"img": "https://archive.orkl.eu/ac01531bddc32b58c133b3ed7429b025001ffad9.jpg"
	}
}